GDPR (Post 2): Ensuring Compliance

Post 1 in our series of blog articles designed to raise awareness of GDPR, the EU’s new General Data Protection Regulation coming into effect on the 25th May next year, presented a short overview of the new directive, what it means for your organisation and the risk of severe penalties for non-compliance.

In Post 2, we provide best-practice advice to guide you on your GDPR compliance journey.

We hope that you find the advice useful and helpful in ensuring compliance with the new directive.

Three main issues are covered:

Understanding the implications of GDPR for your organisation

The four key steps to ‘getting started’

Finding solutions

Understanding the Implications

GDPR represents the most significant change in European data protection regulation for two decades. The bar covering individual privacy rights, security and compliance has been raised significantly. It is critical, therefore, that your organisation fully understands the implications of GDPR and the key challenges presented.

As summarised in Post 1, GDPR has major implications for organisations in four main areas:

GDPR will impose much stricter control over where your organisation stores personal data and how it is used. Effective data governance, transparency, record keeping and reporting will become a legal requirement.

Your organisation will need to develop improved data policies providing control to data subjects and ensuring lawful processing of the data. There will be a requirement to provide privacy training, to audit and update data policies and, for many organisations, to employ a Data Protection Officer.

The first step to GDPR compliance is to undertake a data inventory identifying the personal data held by your organisation and where this currently resides. A wide range of personal data falls in-scope of the new rules including names; email addresses; social media posts; physical, physiological and genetic information; medical information; location; bank details; IP addresses; cookies; cultural identity and more.

It is critical to log what information your organisation currently holds and how it is collected and stored, including emails, documents, databases, removable media, metadata, log files, backups and so on.

As well as auditing what personal information is held and where, there are additional questions to address. Why is the information collected? What is it used for and how is it processed? Who has access to the information and how is it shared? How long is it retained?

Manage

As discussed in Post 1, GDPR represents a profound change in data protection law in Europe; in particular, a massive shift in the balance of power from organisations collecting and using personal data to the individuals concerned. Individuals will have much greater control over the capture and use of their personal data.

In the new regulatory environment, organisations will be required to implement an effective data management policy governing how personal data is used and accessed.

A Data Governance Plan will be required defining policies, roles and responsibilities covering the management and use of personal data within your organisation to ensure that data handling practices are GDPR compliant. Data governance should cover all stages of the data lifecycle – at rest, in process, in transit, storing, recovery, archiving, retaining, disposal.

Data classification will be critical: implementing a classification scheme throughout your organisation is essential for responding to data subject requests. Data should be organised and labelled properly according to type (e.g. sensitive), context/use, ownership, custodians, administrators, users and so on.

Protect

Recent cyber-attacks have reinforced the need for information security to be a top priority for all organisations. As mentioned above, GDPR will raise the bar further.

Organisations will be required to ensure that appropriate technical and organisational measures are in place to protect personal data from loss, unauthorised access or disclosure.

Stringent security controls will be required to prevent, detect and respond to vulnerabilities and data breaches.

What about your breach detection and response procedures in the following areas – monitoring for and detecting system intrusions, breach identification, calculating impact, planned response, disaster recovery, and notifying the DPA and customers?

Report

Finally, GDPR sets new standards in transparency, accountability and record-keeping.

Organisations will need to be more transparent about how they handle personal data including clear documentation defining processes and personal data use.

Records will need to be kept on how the data is used; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries receive personal data and the legal basis of such transfers; organisational and technical security measures and data retention times that apply to various datasets.

Finding Solutions

As an accredited Microsoft Gold Partner, Bridgeall would be delighted to support your organisation in achieving GDPR compliance.

As shown in Figure 3 below, the Microsoft technologies we use are already GDPR ready. This will significantly reduce the effort required by your organisation in becoming compliant.

Please do not hesitate to contact us for an informal chat about your GDPR compliance requirements.

One thought on “GDPR (Post 2): Ensuring Compliance”

The point about ensuring compliance post 25th May is a good one. The fact is, this is more than a single audit of the current state of play; this is a fundamental change to the way we do business, how we manage and process data, and hands control back to the data subjects. Many organisations will find that their current work practices and technology are not fit for purpose post 25th May. So if they have not started planning for GDPR, they need to do so now or run the risk of not being compliant in time.